AWS Server Migration Service
User Guide

Getting Started with AWS Server Migration Service

From a client computer system on your LAN, complete the following steps to set up the AWS Server Migration Connector in your VMware environment.

To set up the connector

  1. Download the Server Migration Connector (current version), a preconfigured FreeBSD VM in OVA format that is ready for deployment in your vCenter.

  2. Create a new IAM user for your Connector to communicate with AWS, and save the generated access key and secret key for use during the initial connector setup. For information about managing IAM users and permissions, see Creating an IAM User in Your AWS Account.

  3. Attach the managed IAM policy ServerMigrationConnector to the IAM user. For information about IAM policies, see Managed Policies and Inline Policies.

  4. Use one of the following procedures to create an IAM role that grants permissions to AWS SMS to place migrated resources into your EC2 account. In most cases, Option 1 will work. If you find that no template for AWS Server Migration Service exists in your AWS region (in Option 1, step 4), proceed to Option 2.

    Option 1

    Use this option in AWS regions that make an IAM role template available.

    1. Open the IAM console at

    2. In the navigation pane, choose Roles.

    3. Choose Create new role.

    4. On the Search role type page, find AWS Server Migration Service and click Select.

    5. On the Attach Policy page, select ServerMigrationServiceRole and click Next Step.

    6. On the Set role name and review page, in the Role name field, type sms (recommended). You can optionally apply a different name, but you then need to specify the role name explicitly each time you create a replication job.

    7. Click Create role. You should now be able to see the sms role in the list of available roles.

    Option 2

    Use this option in AWS regions that do not make an IAM role template available. (This option also works as a manual alternative to Option 1 in all regions.)

    1. Create a local file named trust-policy.json with the following content:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": { "Service": "" },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": { "sts:ExternalId": "sms" }
            }
          }
        ]
      }

    2. Create a local file named role-policy.json with the following content:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:ModifySnapshotAttribute",
              "ec2:CopySnapshot",
              "ec2:CopyImage",
              "ec2:DescribeImages",
              "ec2:DescribeSnapshots",
              "ec2:DeleteSnapshot",
              "ec2:DeregisterImage",
              "ec2:CreateTags",
              "ec2:DeleteTags"
            ],
            "Resource": "*"
          }
        ]
      }

    3. At a command prompt, go to the directory where you stored the two JSON policy files, and run the following commands to create the AWS SMS service role:

      aws iam create-role --role-name sms --assume-role-policy-document file://trust-policy.json
      aws iam put-role-policy --role-name sms --policy-name sms --policy-document file://role-policy.json


    Your AWS CLI user must have permissions on IAM. You can grant these by attaching the IAMFullAccess managed policy to your AWS CLI user. For information about managing IAM users and permissions, see Creating an IAM User in Your AWS Account.

  5. To call the AWS SMS API with the credentials of an IAM user that does not have administrative access to your AWS account, create a custom inline policy defined by the following JSON code and apply it to the IAM user:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "sms:*" ],
          "Resource": "*"
        }
      ]
    }

    For information about managing IAM users and permissions, see Creating an IAM User in Your AWS Account.

  6. Set up your vCenter service account. Create a vCenter user with the permissions necessary to create and delete snapshots on VMs that need to be migrated to AWS and to download their delta disks, as shown in the following procedure.


    As a best practice, we recommend that you limit vCenter permissions for the connector’s service account to only those vCenter datacenters that contain the VMs that you intend to migrate. We also recommend that you lock down your vCenter service account’s permissions by assigning this user the NoAccess role in vCenter on the hosts, folders, and datastores that do not have any VMs that you plan to migrate.

    Create a role in vCenter with the following privileges:

    1. Datastore > Browse datastore and Low level file operations (Datastore.Browse and Datastore.FileManagement)

    2. vApp > Export (VApp.Export)

    3. Virtual Machine > Snapshot management > Create snapshot and Remove Snapshot (VirtualMachine.State.CreateSnapshot and VirtualMachine.State.RemoveSnapshot)

    4. Assign the role as follows:

      1. Assign this vCenter role to the service account that the connector will use to log in to vCenter.

      2. Assign this role with propagating permissions to the datacenters that contain the VMs to migrate.

    To manually verify your vCenter service account’s permissions, verify that you can log in to vSphere Client with your connector service account credentials, export your VMs as OVF templates, use the datastore browser to download files off the datastores that contain your VMs, and view the properties on the summary tab of the ESXi hosts of your VMs.

  7. Set up the connector.

    1. Deploy the connector OVA downloaded in step 1 to your VMware environment using vSphere Client.

    2. Power on the deployed connector VM and obtain its IP address.


      For more information about assigning a static IP address to the connector VM, see Advanced Network Configuration for Server Migration Connector.

    3. Configure the deployed connector VM with IAM credentials and vCenter credentials:

      1. In a web browser, access the connector VM at its IP address (https://ip-address-of-connector/) to open the setup wizard.

      2. Choose Get started now.

      3. Review the license agreement, select the check box, and choose Next.

      4. Create a password for the connector.

      5. If you wish to assign a static IP address to the connector, follow the instructions in Advanced Network Configuration for Server Migration Connector.

      6. Choose Upload logs automatically and Server Migration Connector auto-upgrade.

      7. For AWS Region, choose your region from the list. For AWS Credentials, enter the IAM credentials from step 2. Choose Next.

      8. For vCenter Service Account, enter the vCenter hostname, username, and password from step 3. Choose Next.

      9. After accepting the vCenter certificate, complete registration and then view the connector configuration dashboard.

      10. Verify that the connector you registered shows up on the Connectors page.
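
A pre-flight check for the policy documents in step 4 (Option 2) and step 5, to run before the `aws iam create-role` and `put-role-policy` commands. This is an added example, not AWS code: the function names and finding strings are assumptions, and the sample documents are copied from this page, including the empty service principal in the trust policy.

```python
import json

# Constructed inputs: the documents from step 4 (Option 2) and step 5, as shown on the page.
# The trust policy's service principal is empty on the page and is kept that way here.
TRUST_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Sid": "",
  "Effect": "Allow", "Principal": {"Service": ""}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "sms"}}}]}''')
ROLE_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:CopyImage",
             "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:DeleteSnapshot",
             "ec2:DeregisterImage", "ec2:CreateTags", "ec2:DeleteTags"],
  "Resource": "*"}]}''')
USER_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["sms:*"], "Resource": "*"}]}''')

def _as_list(value):
    """IAM accepts a single string or object wherever a list is valid."""
    return value if isinstance(value, list) else [value]

def _allow_statements(doc):
    # Only Allow statements grant anything, so only they are inspected.
    for index, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") == "Allow":
            yield index, stmt

def check_trust_policy(doc, expected_external_id="sms"):
    """Findings for a role trust policy: who may assume the role, and on what condition."""
    findings = []
    for index, stmt in _allow_statements(doc):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal == "*" or not services or any(s in ("", "*") for s in services):
            findings.append(f"statement {index}: service principal is empty, missing or '*'")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id != expected_external_id:
            findings.append(f"statement {index}: sts:ExternalId is not {expected_external_id!r}")
    return findings

def check_permissions_policy(doc):
    """Findings for a permissions policy: wildcard actions and wildcard resources."""
    findings = []
    for index, stmt in _allow_statements(doc):
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {index}: Resource is '*'")
    return findings
```

The trust policy as printed on this page fails the first check because its `Service` value is blank; supply the service principal from the current AWS documentation before creating the role.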